Wednesday, 7 March 2012

CWWIM4520E The 'javax.naming.ServiceUnavailableException - Fun and Games with WebSphere Application Server and Microsoft Active Directory

So I've seen two semi-related issues between WebSphere Application Server (WAS) 7 and Active Directory in the past 24 hours.

In the first instance, I saw: -

[06/03/12 17:00:58:130 GMT] 0000001a exception     E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E  The 'javax.naming.ServiceUnavailableException: ldap_f5.server.ibm.com:636; socket closed' naming exception occurred during processing.

[06/03/12 17:00:58:131 GMT] 0000001a exception     E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext 
                                 com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E  The 'javax.naming.ServiceUnavailableException: ldap_f5.server.ibm.com:636; socket closed' naming exception occurred during processing.
...

This turned out to be due to a mis-configured load balancer ( Big IP F5 ) which wasn't "passing" traffic through to the back-end Active Directory domain controllers.

Once I changed WAS to use one of the DCs rather than the Big IP load-balanced hostname ( aka Virtual IP or VIP ), I then saw: -

...
[07/03/12 11:19:38:463 GMT] 0000002a ServerCache   I   DYNA1071I: The cache provider "default" is being used. 
[07/03/12 11:19:38:655 GMT] 0000002a exception     E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E  The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece^@]; Resolved object: 'com.sun.jndi.ldap.LdapCtx@4ae04ae0'' naming exception occurred during processing.

[07/03/12 11:19:38:657 GMT] 0000002a exception     E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext 
                                 com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E  The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece\u0000]; Resolved object: 'com.sun.jndi.ldap.LdapCtx@4ae04ae0'' naming exception occurred during processing.
...

Thanks to this Technote: -


I fairly quickly discovered that the problem was: -

...
The AD-specific error code is the one after "data" and before "vece" or "v893" in the actual error string returned to the binding process

525 user not found
52e invalid credentials
530 not permitted to logon at this time
531 not permitted to logon at this workstation
532 password expired
533 account disabled
701 account expired
773 user must reset password
775 user account locked

e.g. that the so-called service account that we're using to bind to the Domain Controller had been locked.

My AD specialist confirmed this, and unlocked the account …..

Job done :-)

2 comments:

Butch Berlemann said...

This post just saved me a bunch of research time. Thanks !

Dave Hay said...

@Butch - no worries, Dave